Professional Documents
Culture Documents
Effectiveness and Enforcement of The CAN-SPAM Act: A Report To Congress
Effectiveness and Enforcement of The CAN-SPAM Act: A Report To Congress
December 2005
Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
I. Introduction and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
II. Information-Gathering Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
III. Analyses and Recommendations Regarding Areas of Interest to Congress. . . . . . . . . . . 5
A. Technological and Marketplace Developments in Email since the Enactment of
CAN-SPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Since Enactment of CAN-SPAM, Spam Volume Has Begun to Decline as Has
Consumer Frustration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2. Anti-Spam Technologies Have Become More Effective and More Broadly
Deployed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Evolving Spamming Techniques and Types of Spam . . . . . . . . . . . . . . . . . . . . . . 15
4. Development of Effective Authentication Strategies May Counter the Rising
Threat of Malicious Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5. Consumers Are Increasingly Using Mobile Devices to Access Their Email . . . . . 20
6. Impact of Technological and Marketplace Developments on CAN-SPAMs
Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
B. International Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1. The International Nature of Spam and the Obstacles It Presents for
Law Enforcers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2. FTC Efforts to Address Spam in the International Arena . . . . . . . . . . . . . . . . . . . . 26
3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
C. Protecting Consumers from Pornographic Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
1. Civil Enforcement of the Adult Labeling Rule . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2. Criminal Enforcement by DOJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3. Other Protections from Pornographic Email; Services Offered by ISPs and
Commercially Available Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4. State Initiatives Aimed at Protecting Children from Inappropriate Email . . . . . . . 39
5. Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
IV. Conclusion: Summary of Findings and Recommendations . . . . . . . . . . . . . . . . . . . . . . 42
Appendix 1: Analyses of CAN-SPAMs Substantive Provisions
Appendix 2: List of Interviews
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 4: Summary of the US SAFE WEB Act
Appendix 5: FTCs CAN-SPAM Cases
Appendix 6: ISPs CAN-SPAM Cases
Appendix 7: States CAN-SPAM Cases
Executive Summary
Executive Summary
Section 10 of the Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003 (the CAN-SPAM Act, CAN-SPAM, or the Act), 15
U.S.C. 7709, requires the Federal Trade Commission (FTC or Commission)
to submit a report that provides a detailed analysis of the effectiveness and
enforcement of the provisions of this Act and the need (if any) for the Congress
to modify such provisions. The Act further directs that the Commission provide
analyses and recommendations regarding three specic areas of interest to
Congress: (1) the extent to which technological and marketplace developments,
including changes in the nature of the devices through which consumers access
their electronic mail messages, may affect the practicality and effectiveness of
the provisions of the Act; (2) how to address commercial electronic mail that
originates in or is transmitted through or to facilities or computers in other
nations, including initiatives or policy positions that the Federal Government
could pursue through international negotiations, fora, organizations, or
institutions; and (3) options for protecting consumers, including children,
from the receipt and viewing of commercial electronic mail that is obscene or
pornographic. This Report responds to the directive of Section 7709.
In preparing this Report, the Commission used several information-gathering
techniques to inform its analyses of the effectiveness and enforcement of CANSPAM and the three specic areas of inquiry set forth by Congress. Of course, the
Commissions direct enforcement experience under CAN-SPAM, as well as that
of other entities empowered to enforce it, provided a broad basis for analyzing
the issues addressed in the Report. In addition, FTC staff interviewed scores of
individuals, including consumer group representatives, email marketers, Internet
service providers (ISPs), law enforcers, and technologists. The Commission
used its compulsory process powers to require the nine ISPs that collectively
control over 60 percent of the market for consumer email accounts to provide
detailed information concerning their experiences with spam. The Commission
consulted with the federal and state agencies that have authority to enforce
CAN-SPAM. The views of the general public about the effectiveness of the Act,
provided in response to various CAN-SPAM rulemakings, were also considered.
Commission staff also conducted a broad review of articles published about CANSPAM since its passage, and engaged in its own independent research. Finally,
ii
Executive Summary
The Commission believes that three steps should be taken to further improve
the effectiveness of CAN-SPAM. First, while no modication to CAN-SPAM
is recommended, the Commission urges Congress to pass the US SAFE WEB
Act, which would signicantly improve the ability of the FTC to use CANSPAM to trace spammers and sellers whose operations are outside the borders of
the United States. This, in conjunction with ongoing international enforcement
and education efforts, will improve the ability of law enforcement to tackle the
challenges posed by the international nature of spam.
Second, the Commission believes that continued education efforts are
necessary to ensure that consumers are aware of the various ways in which they,
and their children, can be protected from receipt and viewing of sexually-explicit
spam. Tools available from ISPs and commercially available software, combined
with the protections inherent in the Act, can signicantly reduce the chance that
consumers, especially children, will be assaulted by pornography distributed via
spam.
Third, the Commission urges the continued improvement in anti-spam
technology and, in particular, domain-level authentication. This technology,
paired with reputation and accreditation systems, holds the greatest promise in
ensuring that spammers will not be able to continue to operate anonymously. The
Commission intends to fulll its promise to work to spur industry efforts to create
and deploy authentication technologies broadly.
iii
1. In general, CAN-SPAM sets forth a series of requirements and prohibitions relating to commercial and
transactional or relationship email messages, as dened by the Act. It creates ve new federal crimes,
and contains numerous civil provisions which, among other things, require: (1) accurate email transmission
information, (2) identication of the email senders physical location, and (3) provision of an opportunity to
opt out of receiving future mailings. Under CAN-SPAM, many federal agencies, including the FTC and the
Department of Justice, certain state law enforcement authorities, and Internet service providers, may le civil
suits to halt unlawful spammers. The Act also conferred rulemaking authority on the FTC and the Federal
Communications Commission.
2. For this Report, the Commission uses the popular term ISP when referring to an Internet service
provider, rather than the term used in the Act, a provider of Internet access service, except in Appendix
1.E.3, discussing 7707(c) (non-preemption of such entities email transmission policies). The Acts term is
derived from the denition of Internet access service in 15 U.S.C. 7702(11), which cross-references 47
U.S.C. 231(e)(4).
3. This Report discusses numerous federal statutes, including the CAN-SPAM Act, 15 U.S.C. 7701
et seq., the FTC Act, 15 U.S.C. 41 et seq., and certain provisions of federal criminal law relating to
computers, notably 18 U.S.C. 1037. To assist the reader, we cite uniformly to the U.S. Code throughout the
Report.
6. Because the ANPR required comments to be led by April 20, 2004, the comments reect the
commenters views concerning the effectiveness of the Act just four months after CAN-SPAM was enacted.
The Commission issued two subsequent Notices of Proposed Rulemaking (NPRMs) pursuant to CANSPAM. In the rst, the Primary Purpose rulemaking, the Commission announced a standard for determining
whether the primary purpose of an email is commercial. In the second, the Discretionary rulemaking,
the Commission is considering modifying the denitions of sender and valid physical postal address;
shortening the time frame for honoring a recipients opt-out request; limiting the information collected
when a recipient submits an opt-out request; and adding a denition of person. Comments received in
response to these NPRMs address some areas covered by this Report, including the effectiveness of the Act,
as well as marketplace developments, international transmission of email, and protecting consumers from
pornographic email. In all, 13,890 comments were received in these CAN-SPAM rulemakings. Throughout
this Report, citations to comments received in the Discretionary rulemaking identify the commenters name,
the term Comment followed by D, and the page of the comment being referenced. For instance, the
citation LashBack Comment D, 2 refers to page 2 of the comment submitted by LashBack LLC in the
Discretionary rulemaking.
7. See Top Etailers Compliance with CAN-SPAMs Opt-Out Provisions, a report by the FTCs
Division of Marketing Practices, at 3 (July 2005), available at http://www.ftc.gov/reports/optout05/
050801optoutetailersrpt.pdf.
8. See Email Address Harvesting and the Effectiveness of Anti-spam Filters, a report by the FTCs Division
of Marketing Practices, at 3 (Nov. 2005), available at http://www.ftc.gov/opa/2005/11/spamharvest.pdf.
9. The Commission has posted reports prepared by these two computer scientists online at http://www.ftc.
gov/reports/canspam05/expertrpts.htm. Citations to these expert reports identify the name of the expert
and the page of the report. For instance, the citation Bishop Report, 2 refers to a statement appearing on
page 2 of the report prepared by Matthew Bishop, Ph.D. Dr. Bishop served as a consultant to the FTC in the
preparation of the Do Not Email Registry Report, and Dr. Judge was a participant in the FTCs Spam Forum,
held in 2003.
10. The Commissions considerable prior experience with the issue of spam, including its enforcement
experience, its three-day Spam Forum held in the Spring of 2003, and the two-day Email Authentication
Summit sponsored by the FTC and the Commerce Departments National Institute of Standards and
Technology in the Fall of 2004, also guides its analyses of the issues discussed in this Report. The
Commission gained further expertise in the technological, legal, and economic issues concerning spam
through preparation of three prior reports to Congress pursuant to CAN-SPAM, each of which is available
online: (1) National Do Not Email Registry Report (June 2004), http://www.ftc.gov/reports/dneregistry/
report.pdf; (2) Informant Reward System Report (Sept. 2004), http://www.ftc.gov/reports/rewardsys/
040916rewardsysrpt.pdf; and (3) Subject Line Labeling Report (June 2005), http://www.ftc.gov/reports/
canspam05/050616canspamrpt.pdf.
indications that the volume of spam is declining, along with the level of
consumer frustration resulting from spam;
improvements in the effectiveness of anti-spam technologies and broader
deployment of such tools;
11. See, e.g., 15 U.S.C. 7701(a)(2) (In enacting CAN-SPAM, Congress found that [t]he convenience
and efciency of electronic mail are threatened by the extremely rapid growth in the volume of unsolicited
commercial electronic mail.); Senate Comm. on Commerce, Science and Transp., Rep. on the CAN-SPAM
Act of 2003, S. Rep. No. 108-102, at 6 (2003) (Left unchecked at its present rate of increase, spam may soon
undermine the usefulness and efciency of e-mail as a communications tool. Massive volumes of spam can
clog a computer network, slowing Internet service for those who share that network.).
12. Unsolicited Commercial E-Mail: Hearing Before the Senate Comm. on Commerce, Science and Transp.,
108th Cong., 1st Sess. (2003) (testimony of then Commissioners Orson Swindle and Mozelle Thompson on
behalf of the FTC). The Commissions testimony was informed by, among other things, a consensus view
that emerged among participants in the Commissions Spam Forum in the Spring of 2003: the volume of
email had reached a tipping point, requiring some action to avert deep erosion of public condence in email
that could hinder, or even destroy it, as a tool for communication and online commerce. Transcripts from the
FTCs Spam Forum are available at http://www.ftc.gov/bcp/workshops/spam/index.html.
20. VeriSign, Internet Security Intelligence Brieng, Nov. 2004, v. 2, issue 2, at 5-6, available at http://www.
verisign.com/static/017574.pdf. Of course, bandwidth is not the only cost imposed by spam. See infra notes
55-56.
21. Deborah Fallows, CAN-SPAM a Year Later, Pew Data Memo, April 2005, available at http://www.
pewinternet.org/pdfs/PIP_Spam_Ap05.pdf. According to Pew, fewer email users now say that spam is
undermining their trust in email, eroding their email use, or making life online unpleasant or annoying.
These ndings suggest that at least for now, the worst case scenario that spam will seriously degrade or
even destroy email is not happening, and that users are settling into a level of discomfort with spam that is
tolerable to them.
22. The Pew study did not link the reported decline in hostility toward spam to any particular development
since the enactment of the Act. Technological improvements during the past two years, particularly in email
ltering technology, have resulted in consumers receiving less spam in their inboxes.
23. See Top Etailers Compliance with CAN-SPAMs Opt-Out Provisions, a report by the FTCs
Division of Marketing Practices, at 3 (July 2005), available at http://www.ftc.gov/reports/optout05/
050801optoutetailersrpt.pdf.
port 25
Senders
Computer
Recipients
Computer
port 25
Spammers
Computer
Zombie
Drone
Recipients
Computer
port 25
Spammers
Computer
Zombie
Drone
10
11
12
13
48. These and other tips for reducing spam are included in the FTC publication Putting a Lid on Deceptive
Spam, July 2002, available at http://www.ftc.gov/bcp/conline/features/spam.pdf.
49. See, e.g., http://help.yahoo.com/help/us/mail/spam/spam-20.html (Yahoo! allows users to report spam
with the click of a button). See also Condential 6(b) responses.
50. See, e.g., http://www.earthlink.net/software/free/spamblocker/.
51. Condential 6(b) responses.
52. See Consumer Reports 2005 State of the Net Survey, Help on the Way?, Sept. 2005, Consumer
Reports; available at http://www.consumerreports.org/main/content/display.jsp?FOLDER%3C%3Efolder_id=
760035&ASSORTMENT%3C%3East_id=333133&bmUID=1128523344058 (recommending that consumers
should consider choosing an ISP based in part on its provision of anti-spam and other security features).
14
15
59. See Appendix 3 (setting forth a detailed explanation of spammers tactics to remain anonymous while
sending large volumes of spam).
60. Joe St Sauver, Spam Zombies and Inbound Flows to Compromised Customer Systems, presented at the
Messaging Anti-Abuse Working Group (MAAWG) General Meeting, Mar. 1, 2005, available at http://
darkwing.uoregon.edu/~joe/zombies.pdf.
61. Press release, MX Logic Reports Spam Accounts for 67 Percent of All Emails in 2005 (Sept. 22, 2005),
available at http://www.mxlogic.com/news_events/press_releases/09_22_05_SpamStats.html.
62. Condential 6(b) responses.
63. 15 U.S.C. 7702(9), (16). The Act denes the term initiate to include not only the origination of a
message, that is, pushing the button, but also procuring the origination of such message. The Act denes
the term procure to mean intentionally to pay or provide other consideration to, or induce another person
to initiate such message on ones behalf. 15 U.S.C. 7702(12). Thus, any entity paying another party to
send commercial email messages or inducing them to do so, is responsible for CAN-SPAM compliance. This
is one of the strengths of the CAN-SPAM Act.
16
17
18
74. There are other authentication technologies being developed in the marketplace, including DomainKeys
Identied Mail (DKIM), which uses public key cryptography to verify the source and contents of email
messages. For further discussion, see infra notes 76-77.
75. See The Urgent Need to Implement E-mail Authentication: A Value Proposal for Senders, Users, and
Domain Holders, Craig Spiezle, June 6, 2005, available at http://www.microsoft.com/technet/community/
columns/sectip/st0605.mspx.
76. In preparation for this Summit, the Commission and NIST solicited comments to help shape the agenda
in this rapidly-evolving area. Forty-three comments were received and posted on the Summit website. The
comments are available at http://www.ftc.gov/os/comments/emailauthentication/index.htm.
77. See http://www.emailauthentication.org. A second industry summit is planned for April 2006. See http://
www.emailauthentication.org/summit2006/summit2006.html.
19
20
21
22
B. International Issues
Section 7709(b)(2) of the CAN-SPAM Act requires that the Commission
provide analysis and recommendations concerning how to address commercial
electronic mail that originates in or is transmitted through or to facilities or
95. 15 U.S.C. 7701(a)(12).
96. See infra section III.B.3.a.
23
1. The International Nature of Spam and the Obstacles It Presents for Law
Enforcers
The Commission has found no reliable statistics on the percentage of spam
that comes from marketers located within or outside of the United States.97
Rampant spoong, and the use of open relays, proxies, and zombie drones often
make it impossible to determine the country from which a spam message has
originated.98
Despite the difculty in determining where spam messages originate, it is
clear that spam is often transmitted through facilities or computers in countries
other than the U.S. or contains hyperlinks to websites registered or hosted
abroad.99 This international aspect of spam frustrates FTC law enforcement
efforts because the Commission has no mechanism to compel information from
third parties located abroad about spam that may have come through their systems
or about websites registered or hosted offshore.
97. During numerous teleconferences among the FTC, ISPs, technologists, and others in July 2005, no
participants offered calculations in this regard. See, e.g., Pew: Fallows, 35 (I nd it very difcult to sort
through [the wide-ranging origination gures being reported]). MX Logic described the reported gures
of spams origin as cloudy and murky and very complicated because origins can be so easily masked,
for example by proxies and zombies. Telephone conversation with MX Logic (Aug. 24, 2005); Word to
the Wise: Adkins, 43-45 (noting that the term origin is ill dened [in the reporting] . . . [Different reports
measure] different things, some of them are measuring where the website happens to be hosted. Some
of them are measuring the language the spam is sent in. Some of them are measuring the compromised
machines that were used to send it. Some of them are measuring the spammers they believe were responsible
for it, where they live . . .); Microsoft: Goodman, 32 (determining where a spam message came from is a
difcult technical question because there are so many ways to obscure its origin).
98. FTC, National Do Not Email Registry: A Report to Congress at n.123 (June 2004), available at http://
www.ftc.gov/reports/dneregistry/report.pdf.
99. Unsolicited Commercial E-Mail: Hearing Before the Senate Comm. on Commerce, Science and Transp.,
108th Cong., 1st Sess. (2003) (testimony of then Commissioners Orson Swindle and Mozelle Thompson on
behalf of the FTC).
24
25
During spam investigations and litigation, the FTC often requests help
from its foreign counterparts to obtain information, such as corporate records,
telephone number subscriber information, court pleadings, and reports. To
improve this type of international cooperation, the FTC has undertaken efforts to
build informal enforcement cooperation networks.104
The London Action Plan on International Spam Enforcement Cooperation
(LAP) is one example of such collaboration. Begun by the FTC and the
United Kingdom Ofce of Fair Trading in 2004, the LAP is an informal
network of government agencies responsible for spam enforcement and private
sector representatives interested in enforcement of spam laws. Currently,
LAP membership spans ve continents, with 33 government agencies from 23
participating countries, as well as 24 private sector entities participating.105 LAP
members exchange information about spam investigations and enforcement
actions, mainly through periodic telephone conference calls.
103. The anti-spam approach adopted by the U.S. involves several components, including: enforcement,
regulation/legislation, encouragement of the development of technological solutions, encouragement of
self-regulatory efforts by industry, and education of consumers and businesses about spam and their role in
limiting its negative effects.
104. The international dimension to the spam problem affects criminal, as well as civil, law enforcement
under the Act. See Appendix 1.A. Because criminal law enforcement authority under CAN-SPAM lies
with DOJ, the Commission consulted with the Computer Crime and Intellectual Property Section of DOJs
Criminal Division, which has principal authority over DOJs position on international law enforcement in
connection with spam, in the preparation of this section of the Report.
105. Additional information on the LAP is available at http://www.ftc.gov/opa/2004/10/spamconference.htm.
26
27
International Advocacy
28
29
30
31
120. See Canadians Winning the War Against Spam; Spam Volumes Dropping for the First Time in Four
Years, and Attitudes Towards Email As a Communications Tool are Improving, Canadian Inter@ctive Reid
Rep., Mar. 10, 2005, press release available at http://www.ipsos-na.com/news/pressrelease.cfm?id=2594.
121. See Finnish Peoples Communication Capabilities in Interactive Society of the 2000s, Statistics Finland,
Reviews 2004/7 (on le with the FTC).
122. For example, several groups within the Asia Pacic Economic Cooperation (APEC) forum have
work plans relating to spam, including the APEC Electronic Commerce Steering Group and the APEC
Telecommunications and Information Working Group. As discussed earlier, the Spam Task Force of
the OECD has been organized to, among other things, facilitate international cooperation on spam. The
International Telecommunication Union (ITU) has also organized a study group to discuss spam. The
World Summit on the Information Society (WSIS), an ITU-organized summit, has held meetings on spam
and continues to be active in efforts to combat spam. In addition, the eCommerce Group of the Security and
Prosperity Partnership of North America (whose members are the U.S., Canada, and Mexico) has included
spam in its work plan.
32
33
civil law enforcement under the Adult Labeling Rule issued by the
Commission pursuant to CAN-SPAM to require subject line labeling of
sexually-explicit email messages;
criminal law enforcement under CAN-SPAM by DOJ;
technologies that consumers may use to protect themselves from receiving
and confronting such material;
127. Deborah Fallows, Spam: How It Is Hurting Email And Degrading Life On The Internet, Pew Internet &
Am. Life Project, Oct. 22, 2003.
128. AOL: Archie, 37 (noting that AOL has seen a dramatic drop in the amount of pornographic email
consumers are receiving); Microsoft: Goodman, 38 (commenting that Microsoft has seen fewer pornographic
emails entering its system).
129. Deborah Fallows, CAN-SPAM a Year Later, Pew Data Memo, Apr. 2005. In addition, of those who
have received pornographic email, 29 percent said they were receiving less than in the prior year, compared
to 16 percent who said they received more and 52 percent who saw no change. See also Pew: Fallows, 46.
130. See Pornographic Spam in Decline, Clearswift, July 13, 2005, available at http://www.clearswift.com/
news/item.aspx?ID=864.
131. Condential 6(b) responses (2004 and 2005). The ISP analyzed all pre-ltered email it received during
January and February of both years. Pre-ltered email constitutes the messages that enter the ISPs servers,
before it applies its anti-spam lters.
132. Columbia: Bellovin, 80; ESPC: Hughes, 57; ICC: Halpert, 39 (noting that CAN-SPAM has made
pornographic spam a risky business because marketers are more concerned about prosecution).
34
35
36
142. See Three Defendants Indicted, Fourth Pleads Guilty in Takedown of Major International Spam
Operation, Aug. 25, 2005, DOJ press release available at http://www.usdoj.gov/criminal/press_room/press_
releases/2005_4197_ereadattachment_Service.pdf. See also Appendix 1.A for a discussion of other criminal
CAN-SPAM actions brought by DOJ.
143. Id.
144. Id.
145. As mentioned in section III.A.2 supra, OnGuard Online offers practical advice about computer safety,
including ways to protect children while online. See http://www.onguardonline.gov.
146. Such image-blocking features have practical implications for email messages viewed in HTMLenabled email programs. An email message viewed in these programs can display a variety of content, such
as images and links to other documents. Text-based email programs cannot display images so an imageblocking feature would be unnecessary.
147. This section uses the term email programs to refer to both email clients and web-based email
programs. An email client is an application that runs on a personal computer or workstation that enables
one to send, receive and organize email. Microsofts Outlook, Mozillas Thunderbird, and Eudora Mail are
some examples of email clients. Web-based email programs, or webmail, offer functions similar to email
clients although typically not as advanced but are accessed via the Internet, and are often free to their
subscribers. Yahoo! Mail, Googles GMail, and Microsofts Hotmail are some examples of web-based email
programs.
37
148. A web server is a computer that delivers (serves up) les. See Bishop Report, 23.
149. See Bishop Report, 23.
150. For example, Google and AOL state that some of their products disable images in email from unknown
senders. Microsoft states that its Hotmail email program disables all images directed to a recipients
junkmail folder. Yahoo! offers its email users different levels of image blocking protection. Thunderbird,
an open source email program, states that it blocks remote images by default unless the sender appears in
the recipients personal address book. See http://mail.google.com/support; http://discover.aol.com/product/
spam.adp; http://join2.msn.com; http://antispam.yahoo.com/tools?tool=6; http://www.mozilla.org/projects/
thunderbird/changes.html; Microsoft: Goodman, 40. See also AT&T: Barszcz: 40 (AT&T offers its
subscribers image blocking as well). Microsofts Outlook 2003 blocks images by default unless the sender
appears on the recipients safe list. See http://ofce.microsoft.com/en-us/assistance/HP010440221033.
aspx.
151. Oregon: St Sauver, 44; Bigfoot: Della Penna, 54; Nortel: Lewis, 54; Microsoft: Goodman, 38. The
Commission notes that image-blocking also can protect consumers from material that may not constitute
sexually explicit content that is regulated by CAN-SPAM and the ALR, but nevertheless may be offensive
or inappropriate for children. However, the typical image-blocking feature blocks all images, not just
those that contain sexually-explicit content. This fact may implicate CAN-SPAM disclosure requirements,
which are discussed in detail in Appendix 1 sections B.3 to B.5. To remain compliant with CAN-SPAMs
requirement for conspicuous disclosures, marketers must ensure that all the mandatory CAN-SPAM
disclosures are clear to recipients even with images disabled, such as by including disclosures in plain
text, even when the image-blocking feature is turned on. See also Word to the Wise: Adkins, 55; Cantor
Comment D, 1 (expressing frustration with marketers who embed the required opt-out notice in an explicit
image. Thus, in order to take advantage of the opt-out mechanism, the recipient must download the explicit
image); LashBack Comment D, 2 (If the user has images disabled in their email client to protect [their]
privacy or [if] the image fails to load, then the user has no way of knowing there is an unsubscribe option.).
152. See, e.g., http://join.msn.com/?pgmarket=en-us&page=features/parental (MSNs parental controls);
http://site.aol.com/info/parentcontrol.html (AOLs parental controls); http://www.earthlink.net/software/free/
parentalcontrols/tour/control/ (Earthlinks parental controls).
153. Id.
38
154. Consumers appear to be taking advantage of whitelisting. A survey conducted by Bigfoot Interactive,
an email marketing company, reported that over half of those surveyed always added legitimate senders to
their address books. Email and Spam: Consumer Attitudes and Behaviors, Bigfoot Interactive, Feb. 2005.
Similarly, DoubleClick reported that 85 percent of respondents have utilized the Add to Address Book
function in email programs. DoubleClick 2005 Consumer Email Study, PowerPoint presentation, June 27,
2005 (on le with the FTC).
155. See, e.g., http://join.msn.com/?pgmarket=en-us&page=features/parental; http://discover.aol.com/
product/parental.adp and Earthlink Premieres Parental Controls Software, Sept. 30, 2003, Earthlink press
release available at http://www.earthlink.net/about/press/pr_parentalcontrols/. See also Columbia: Bellovin,
49 (noting that whitelisting is the simplest and best solution for young children).
156. See http://www.consumerreports.org/main/content/display_report.jsp?FOLDER%3C%3Efolder_
id=597365.
157. Pew: Fallows, 54; Digital Impact: Jalli, 63.
158. Amanda Lenhart, Protecting Teens Online, Pew Internet & Am. Life Project, Mar. 17, 2005.
159. Mich. Comp. Laws 752.1061 - 752.1068.
39
40
166. EFF: Newitz, 51; Experian: Goodman, 59-60 (noting that CAN-SPAM preempted many disparate state
laws and the implications of complying with multiple laws is impractical for legitimate senders). See also
Appendix 1.E.2 for a complete discussion of the preemption provision.
167. The need for this legislation is discussed in detail in section III.B.3.a supra. We reiterate this
recommendation here with respect to this specic type of spam.
41
42
2.
3.
4.
5.
1. In addition to the substantive provisions analyzed in this Appendix, the Act contains several sections which
are either procedural in nature or the subject of other extensive reports to Congress by the FTC. These sections,
not discussed in this Appendix, include: Section 1 Short Title; Section 2 Congressional Findings and Policy;
Section 3 Denitions; Section 9 Do-Not-Email-Registry (a separate report to Congress was submitted addressing
this section on June 16, 2004; see http://www.ftc.gov/reports/dneregistry/report.pdf); Section 11 Improving
Enforcement by Providing Rewards for Information about Violations; Labeling (the FTC has submitted two separate
reports to Congress addressing this section: one on September 16, 2004, see http://www.ftc.gov/reports/rewardsys/
040916rewardsysrpt.pdf; and one on June 16, 2005, see http://www.ftc.gov/reports/canspam05/050616canspamrpt.
pdf); Section 13 Regulations; Section 15 Separability; and Section 16 Effective Date.
2. For a detailed description of the parties and sources consulted in the preparation of the Report overall, see Report
section II and Appendix 2.
3. 15 U.S.C. 7704(d) contains the only other criminal provision in the Act, providing up to ve years in prison for
unlawful transmission of sexually-oriented spam. See Report section III.C.2.
4. DOJ has authority to enforce all of CAN-SPAMs criminal and civil provisions, except 15 U.S.C. 7705 (civil
seller liability).
5. The Commission also contacted the Federal Bureau of Investigation (FBI) to consult on the drafting of this
Report. FBI personnel did not respond with input before press time, due to demands associated with Hurricanes
Katrina and Rita.
A-1
This provision criminalizes hacking into computers to send spam, including through the use
of zombie drones.7 To date, DOJ has completed three prosecutions under Section 1037(a)(1).
First, in September 2004, Nicholas Tombros pled guilty in the Central District of California
to a violation of this section, after admitting to sending spam through wireless home networks
that had not been properly secured.8 Second, in February 2005, in the District of Arizona,
Andrew Ellifson pled guilty to a violation of this section, in addition to a conspiracy count, in
connection with sending obscene spam.9 Third, in June 2005 in the Northern District of Georgia,
Peter Moshou also pled guilty to a violation of this section, after admitting accessing an ISPs
computers without authorization in order to send spam promoting vacation timeshare services.10
6. As discussed in more detail below, guilty pleas have been obtained from Jason Smathers in the AOL spammer
case, Nicholas Tombros in the wi- spammer case, and Peter Moshou in the timeshare spammer case. A fourth
criminal prosecution in Arizona involving obscene spam and four individuals, one of whom has pled guilty to a
CAN-SPAM count, is discussed in section III.C.2 of the Report.
7. See section III.A.2 of the Report and Appendix 3 for more information about zombie drones.
8. See http://www.usdoj.gov/usao/cac/pr2004/131.html. Tombros sentencing has been postponed.
9. See Report section III.C.2. Ellifsons sentencing has been postponed.
10. Bill Montgomery, Guilty Plea a Win for Spam Act, Atlanta Journal-Constitution, July 1, 2005, at 4E. On
November 17, 2005, Moshou was sentenced to 12 months in prison and was ordered to pay $120,000 in restitution.
A-2
This provision was primarily designed to protect consumers against spammers who use
open relays and open proxies to disguise their identities.11 DOJ has completed one prosecution
under this paragraph of Section 1037. In February 2005, Jason Smathers, a former America
Online (AOL) employee, entered a plea of guilty to conspiracy to commit a violation of 18
U.S.C. 1037(a)(2). Smathers admitted stealing a proprietary AOL database containing screen
names and offering those screen names for sale to another individual who intended to send email
through open relays and open proxies. Smathers was sentenced to 15 months imprisonment in
August 2005.12
c.
This paragraph criminalizes the insertion of materially false information into email
headers,13 which makes it more difcult for recipients and ISPs to distinguish legitimate email
from spam. To date, there has been no prosecution solely under Section 1037(a)(3), although the
prosecutions under Sections 1037(a)(1) and 1037(a)(2) have also involved instances of header
falsication.
d.
A-3
14. See Judge Report, 6-8; Bishop Report 20-21. Blacklists are lists of known spammers, their IP addresses, and/
or their ISP (Internet service provider). Using this information, spam lters can block all messages coming from
known spammers and/or their ISPs. ISPs that fail to discipline spammers may nd all email from their legitimate
customers blocked by large numbers of recipients. This tactic forces the ISP to take action against spammers using
their systems because legitimate users do not want to be inconvenienced by having their email blocked. See
CipherTrust glossary available at http://www.ciphertrust.com/resources/glossary/index.php?term=B.
15. A prior conviction under 18 U.S.C. 1030 a similar criminal section concerning fraud and related activity in
connection with computers may also lead to the ve-year statutory maximum. 18 U.S.C. 1037(b)(1)(B).
A-4
A-5
A-6
18. Such plaintiffs have led dozens of suits under 15 U.S.C. 7704 against hundreds of known and John Doe
defendants both spammers who actually send email messages and those who hire them (sellers). Initial results of
these cases are positive, as discussed in sections A through D of this Appendix.
19. See Bishop Report, 4.
A-7
A-8
A-9
A-10
A-11
41. Section 7704(a)(3)(B) provides that: The person initiating a commercial electronic mail message may comply
with subparagraph (A)(i) by providing the recipient a list or menu from which the recipient may choose the specic
types of commercial electronic mail messages the recipient wants to receive or does not want to receive from the
sender, if the list or menu includes an option under which the recipient may choose not to receive any commercial
electronic mail from the sender.
42. Section 7704(a)(3)(C) provides that: A return electronic mail address or other mechanism does not fail to
satisfy the requirements of subparagraph (A) if it is unexpectedly and temporarily unable to receive messages or
process requests due to a technical problem beyond the control of the sender if the problem is corrected within a
reasonable time period.
43. 15 U.S.C. 7704(a)(4)(i)-(iv) (prohibiting senders and persons acting on their behalf from initiating commercial
email messages to those who have opted out, and prohibiting the sender or any other person who knows that the
recipient has opted out from selling, leasing, exchanging, or otherwise transferring opt-out email addresses for any
purpose other than compliance with the law).
44. The Acts 10-day time period for senders to honor a recipients opt-out request is currently under review
by the Commission, which has sought comments on a proposal to reduce the amount of time allowed to honor
an opt-out request to 3 days. See 70 FR 25426 (May 12, 2005) available at http://www.ftc.gov/os/2005/05/
05canspamregformfrn.pdf.
45. This is consistent with other reports of top etailer compliance since the passage of the Act. One study by
EmailLabs published in January 2004 showed that compliance with this provision, even during the rst month after
CAN-SPAM was enacted, was 95 percent. Press release, Confusion Reigns as Permission-Based Email Marketers
Comply With Some Requirements of CAN-SPAM but Not Others, EmailLabs (Jan. 27, 2004), available at http://
www.emaillabs.com/articles/news/CAN_SPAM_Compliance_audit.html.
A-12
A-13
A-14
A-15
A-16
64. See FTC v. Pacic Herbal Sciences, No. CV05-7247 RSWL (C.D. Cal. led Oct. 6, 2005).
65. In addition to the Optin Global case, brought jointly by the FTC and California, see supra note 62,
Massachusetts has alleged violations of this provision in two actions brought in state court. See Massachusetts v.
DC Enterprises (Suffolk Super. Ct. led June 30, 2004) and Massachusetts v. Kuvayev, et al. (Suffolk Super. Ct.
led May 11, 2005). ISPs have also alleged violations of this provision. See, e.g., EarthLink v. John Does 1 -25
(mortgage lead spammers) and EarthLink v. John Does 26 - 50 (prescription drug spammers) (N.D. Ga. led Oct.
27, 2004).
66. Some of those consulted in preparation for this Report expressed skepticism about the effectiveness of these
provisions as applied to criminal spammers, who were unlikely to comply, but noted that even as applied to criminal
spammers, the provision would allow for law enforcers to exact penalties for non-compliance. See Oregon: St
Sauver, 73; Columbia: Bellovin, 73.
67. Information about how to make a clear and conspicuous disclosure on the Internet or in email is set forth in
the Commissions publication Dot Com Disclosures: Information About Online Advertising, available at http://
www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html. While the disclosure must be evaluated in the context
of the advertisement as a whole, factors to consider in determining whether the disclosure is clear and conspicuous
include placement, prominence, and repetition.
A-17
A-18
72. A sampling of the messages received from the 100 etailers studied shows that 94 percent included an address
purporting to be that of the sender. The validity of the address was not tested for this purpose, so the compliance
rate shows the rate at which senders included an address, not necessarily the rate at which they included a valid
address.
73. See supra note 45 (citing to a survey by EmailLabs of top etailers compliance with this provision in
January 2004 which found that 56 percent of emails were compliant. It is not clear, however, from the published
methodology that this survey distinguished between messages that would be deemed commercial under the Act
and those that would be considered transactional or relationship messages. Because transactional messages are
exempt from this provision, counting them for the study would mean that the compliance rate is articially low. A
surprising nding from the same study showed that, in contrast to the address provision gures, 87 percent of the
messages studied offered an unsubscribe link, which, presumably, is a more burdensome provision with which
to comply.) Also, in April 2004, JupiterResearch reported that 64 percent of leading email marketers complied
with this provision; however, it is also difcult to assess the methodology used in this study. Press release,
JupiterResearch Finds Legitimate E-Mail Marketers Struggling With Federal CAN-SPAM Compliance (Apr. 20,
2004), available at http://www.jupitermedia.com/corporate/releases/04.04.20-newjupresearch.html.
74. See Impact of CAN-SPAM? Brightmail Finds Spam is Still Flowing, Feb. 2, 2004 (There are certain
provisions of the law noting the senders physical address in the message and including an opt-out mechanism
that Brightmail has seen in spam messages for years. Spammers include this information only to evade less
sophisticated lters the addresses they use are non-existent and their opt-outs are not legitimate.).
A-19
A-20
A-21
81. 149 Cong. Rec. S15945 (daily ed. Nov. 25, 2003).
A-22
82. The sections exemption from liability for third parties who provide goods or services to a seller imposes
additional evidentiary burdens on the Commission. If a seller were to create a straw middleman through which
it entered into contracts with the spammer, the Commission would need to demonstrate that the seller owned
more than 50 percent of the straw middleman or had actual knowledge that the spammer would be sending spam
containing false headers.
A-23
83. In addition to the FTC and DOJ, federal entities with enforcement authority under the Act are the FCC, the
Ofce of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Commission,
the Ofce of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange
Commission, the Department of Transportation, the Department of Agriculture, and the Farm Credit Administration.
15 U.S.C. 7706(b). CAN-SPAM also grants enforcement authority to ISPs, state Attorneys General, and state
insurance commissioners. 15 U.S.C. 7706(g), (f), and (b)(6), respectively.
84. See Appendix 5. In seven of those 20 cases, the Commission sought civil penalties in addition to other equitable
relief for CAN-SPAM violations. The Ofce of Consumer Litigation, working with the U.S. Attorneys Ofces in
the various districts, led the cases pursuant to DOJs authority to seek civil penalties as a remedy on behalf of the
Commission. 15 U.S.C. 56(a). The Commission is aware of no federal entity, other than the FTC and DOJ, that
has initiated a civil action under CAN-SPAM.
85. 15 U.S.C. 7706(a) and (d). The other federal agencies with civil enforcement authority under the Act may
seek remedies provided by their own statutory grants. 15 U.S.C. 7706(c). Senate Comm. on Commerce, Science.
and Transp., Rep. on the CAN-SPAM Act of 2003, S. Rep. No. 108-102, at 20-21 (2003).
86. See http://www.ftc.gov/opa/2005/07/alrsweep.htm.
87. FTC v. Phoenix Avatar, No. 04C 2897 (N.D. Ill. judgment entered Mar. 29, 2005) (settlement of $15,000 and
suspended judgment of $230,000); FTC v. Global Web Promotions, No. 04C 3022 (N.D. Ill. judgment entered
June 16, 2005) (default judgment including $2.2 million in consumer redress); FTC v. Creaghan Harry, No. 04C
4790 (N.D. Ill. judgment entered May 5, 2005) (settlement of $485,000, with $215,000 payable immediately, and
suspended judgment of $5.9 million in consumer redress); FTC v. Global Net Solutions, No. CV-S-05-0002 (D. Nev.
orders of Aug. 4 and Sept. 8, 2005) (judgments totaling $700,018 in disgorgement).
88. See Appendix 7. The Commission is not aware of any action under the Act led by a state insurance
commissioner.
A-24
89. The maximum per-violation statutory damage gures are $250 for state Attorneys General and $100 for ISPs;
however, where certain techniques were used to send the spam, such as address harvesting, dictionary attacks and
hacking, the statutory damages may be tripled. 15 U.S.C. 7706(f)(3) (for states) and (g)(3) (for ISPs) (both
referencing the aggravated violations of 15 U.S.C. 7704(b)). One commenter with the State of California told the
Commission that CAN-SPAM could be improved for state enforcers by changing the legal remedy of damages to
penalties. CAOAG: Sweedler, 62 ([the mere] receipt of spam doesnt cause substantial economic damage to the
individual consumer) (emphasis added).
90. See Appendix 6. The FTC conducted an extensive literature review and contacted major ISPs in compiling
these data. These gures represent collective litigation data as of September 1, 2005.
91. For example, Microsoft obtained a $7 million settlement against defendant Scott Richter, and AOL received a
$13 million judgment against Braden Bourneval and Davis Wolfgang Hawke. See Elizabeth M. Gillespie, Microsoft
Receives $7M in Spam Settlement, Associated Press, Aug. 9, 2005, and Mike Musgrove, AOL Wins Judgment
Against Spammers, The Washington Post, Aug. 11, 2005, at D5.
92. See Report note 2.
A-25
A-26
96. CAOAG: Sweedler, 69-70 (noting that state penalty remedies are more reasonably obtainable through
prosecution . . .). The representative further noted that state laws often contain a right of private action, as well,
which would enable individual recipients to enforce the laws. CAOAG: Sweedler, 70-71. Some of those consulted
in preparation of this Report agreed that a private right of action would increase enforcement of the Act and benet
recipients who would aggressively pursue their legal rights. See, e.g., Oregon: St Sauver, 74. Still others disagree.
See, e.g., Columbia: Bellovin, 74 (agreeing that a private right of action would be of little practical use because
individuals would not have the resources, in most instances, to identify and track spammers). In addition, at
hearings held on the operation of the CAN-SPAM Act in May 2004, Senator McCain expressed skepticism about the
value of a private right of action. See CAN-SPAM Act: Hearing Before the Senate Comm. on Commerce, Science
and Transp., 108th Cong., 2d Sess. (2004) (I do not believe, however, that authorizing broad private rights of action
will improve enforcement efforts. If industry and government authorities spending vast resources in this effort
can only muster enough evidence to bring a grand total of 8 spam cases over the past 5 months, then private rights
of action will produce little more than expenses for legitimate businesses to fend off opportunistic trial lawyers.
Spammers will remain at large.).
97. EPIC: Hoofnagle, 64. See also Oregon: St Sauver, 83-84 (questioning whether uniformity in a domestic legal
scheme regulating email is necessary given the international nature of the medium and the multitude of international
laws and regulations with which marketers already must be comply).
98. Columbia: Bellovin, 83 ([T]o the extent that there is legitimate email advertising going on, and there certainly
is some of that by reputable companies, thats where preemption is good because then they only have to comply
with one set of rules.). Professor Bellovin went on to suggest that, ideally, state laws would only be preempted
with regard to those legitimate rms in compliance with CAN-SPAM, as a sort of safe harbor, leaving states free to
pursue bad actors under their own laws as well as CAN-SPAM. Id.
99. ESPC: Hughes, 75. See also DMA: Cerasale, 78-79. But see EPIC: Hoofnagle, 65 (expressing skepticism that
companies that can use sophisticated proling systems, that can in fact prole people down to the ZIP+4 level
cannot use similarly sophisticated technology to comply with a myriad of state email marketing laws).
A-27
A-28
103. 15 U.S.C. 7707(c). See White Buffalo Ventures, LLC v. University of Tex. at Austin, m 04-50362 (Aug. 2,
2005) (nding that while UT was a state subdivision, and thus arguably subject to the Acts preemption provision,
7707(b)(1), the university also clearly met the Acts denition of a provider of Internet access service, and was
thus entitled to set its own ltering policies).
104. FCC Order 04-194, adopted Aug. 4, 2004, available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/
FCC-04-194A1.pdf, published at 69 Fed. Reg. 55765 (Sept. 16, 2004).
105. The rst posting of the wireless domain names list on the FCC website occurred on February 7, 2005, thirty
days before the start of enforcement. FCC Notice DA05-331, available at http://hraunfoss.fcc.gov/edocs_public/
attachmatch/DA-05-331A1.pdf. The list may be viewed at http://www.fcc.gov/cgb/policy/DomainNameDownload.
html.
A-29
106. The FCCs unique statutory enforcement scheme involving notice of unlawful conduct could impact the
agencys ability to enforce violations of this new rule effectively. Under the Communications Act, if a violator is
not an FCC licensee, the agency must rst issue a warning citation before it can issue a monetary forfeiture penalty.
47 U.S.C. 503(b)(5). CAN-SPAM violators typically are not FCC license holders; thus, the statutory citation
requirement is likely to be triggered in many FCC CAN-SPAM enforcement cases.
A-30
Organization
Date of Interview
Addicott, Kimberly
Verizon
7/27/2005
Adkins, Steve
7/26/2005
Alonzo, Mercedes
7/14/2005
Archie, Jennifer
AOL
7/27/2005
Baer, Josh
7/27/2005
Barszcz, Jim
AT&T
7/27/2005
Bays, Julie
7/14/2005
Bellovin, Steve
Columbia University
7/21/2005
Berkower, Elise
DoubleClick
7/27/2005
Bolton, Barbara
7/14/2005
Borenstein, Nathaniel
IBM
7/28/2005
Bowles, Elizabeth
Aristotle.net
7/27/2005
Brady, Betsy
Microsoft Corporation
7/27/2005
Castelli, Eric
LashBack LLC
7/26/2005
Cerasale, Jerry
7/27/2005
Chavez, Esther
7/14/2005
Clocker, Kimberly
Verizon
7/27/2005
Cohen, Jordan
Bigfoot Interactive
7/26/2005
Cohen, Stephen
7/14/2005
Colclasure, Sheila
Acxiom Corporation
7/28/2005
Coleman, Sana
7/14/2005
Collier, Lloyd
7/14/2005
Dailey, Thomas
Verizon
7/27/2005
DeGraff, Kenneth
Consumers Union
7/26/2005
Bigfoot Interactive
7/26/2005
Devlin, Brian
7/14/2005
Edelman, Ben
Harvard University
7/21/2005
Everett-Church, Ray
PrivacyClue LLC
7/20/2005
Fallows, Deborah
7/20/2005
Fisher, Ashley
7/14/2005
7/26/2005
Free, Peter
7/14/2005
Gasster, Liz
AT&T
7/27/2005
Organization
Date of Interview
Gerdes, Michael
7/14/2005
Goodman, Joshua
Microsoft Corporation
7/27/2005
Grant, Susan
7/26/2005
Hadeishi, Hajime
Hadley, Tony
Experian
7/27/2005
Hagan, Deborah
7/14/2005
Halpert, Jim
7/27/2005
Hawes, Gary
7/14/2005
Hedges, Chris
7/14/2005
Hochberg, Jane
7/14/2005
Hodapp, Larry
7/14/2005
Hoofnagle, Chris
7/20/2005
Hughes, Trevor
7/27/2005
7/27/2005
Ingles, Sherry
7/14/2005
Isaacson, Ben
Experian
7/27/2005
Jacobsen, Jennifer
7/27/2005
Jaglowski, Mary
State of Connecticut
7/14/2005
Jalli, Quinn
Digital Impact
7/27/2005
Jansen, Mark
7/14/2005
Kornblum, Aaron
Microsoft Corporation
7/27/2005
Leuer, Jennifer
Experian
7/27/2005
Levine, John
7/26/2005
Levy, Leslie
7/14/2005
Lewis, Chris
Nortel Networks
7/26/2005
Lieb, Rebecca
ClickZ Network
7/26/2005
Litwin, Hedda
7/14/2005
Malmerg, Kristin
7/14/2005
Mansourkia, Magnolia
(Maggie)
MCI
7/27/2005
Matties, Deborah
7/14/2005
McClellan, Bill
7/28/2005
McDonald, Susan
7/14/2005
McEldowney, Ken
Consumer Action
7/26/2005
7/26/05; 7/27/05
Organization
Date of Interview
Meyer, Jennifer
7/14/2005
Miller, Jay
7/14/2005
Moriyama, Michael
7/14/2005
Neumon, John
7/14/2005
Newitz, Annalee
7/20/2005
OMalley, Colin
TRUSTe
7/28/2005
Osburn, Alice
General Motors
7/28/2005
Petroff, Jim
7/14/2005
7/14/2005
Rohlich, Nelle
7/14/2005
Saulnier, Julie
7/14/2005
Schafer, Scott
7/14/2005
Schuelke, Brad
7/14/2005
Selis, Paula
7/14/2005
Sherry, Linda
Consumer Action
7/26/2005
Shull, Andrew
7/14/2005
Silversin, Louis
Singh, Tony
Department of Justice
7/14/2005
St Sauver, Joe
University of Oregon
7/21/2005
MCI
7/27/2005
Stansell, Maxine
7/14/2005
Stratton, Connie
7/14/2005
Swanson, Jodi
7/14/2005
Sweedler, Ian
7/14/2005
Taff, Thomas
7/14/2005
Teeluckingh, Anthony
Department of Justice
7/14/2005
Teter, Carolyn
7/14/2005
Weintraub, Ann
7/14/2005
Welch, Susan
7/28/2005
Williams, Bridgette
7/14/2005
Winterrowd, Dana
7/14/2005
Worley, Harriet
7/14/2005
7/26/05; 7/28/05
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Appendix 3: Part III of the Commissions National Do Not Email Registry Report
Broadening Reciprocal Information Sharing. (US SAFE WEB Act 4(a), 6(a))
Allows the FTC to share condential information in its les in consumer protection
matters with foreign law enforcers, subject to appropriate condentiality assurances.
Similar to longstanding SEC, CFTC, and federal banking agency authority. Needed
to allow the FTC to share information with foreign agencies to help them halt fraud,
deception, spam, spyware and other consumer protection law violations targeting U.S.
consumers. Also needed for the FTC to obtain, in return, foreign information required to
halt such illegal practices.
Expanding Investigative Cooperation. (US SAFE WEB Act 4(b) (adding FTC Act
6(j))) Allows the FTC to conduct investigations and discovery to help foreign law
enforcers in appropriate cases. Similar to longstanding SEC, CFTC, and federal banking
agency authority. Needed to allow the FTC to obtain information for foreign agencies
actions to halt fraud, deception, spam, spyware, and other consumer protection law
violations targeting U.S. consumers. Also needed to help the FTC to obtain, in return,
foreign investigative assistance in FTC cases.
Obtaining More Information from Foreign Sources. (US SAFE WEB Act 6(b))
Protects information provided by foreign enforcers from public disclosure if
condentiality is a condition of providing it. Similar to longstanding SEC and CFTC
authority. Needed because, without it, some foreign law enforcers will not give the FTC
information needed to halt fraud, deception, spam, and spyware.
Protecting the Condentiality of FTC Investigations. (US SAFE WEB Act 7)
Safeguards FTC investigations in a dened range of cases by (1) generally protecting
recipients of Commission CIDs from possible liability for keeping those CIDs
condential; (2) authorizing the Commission to seek a court order in appropriate cases
to preclude notice by the CID recipient to the investigative target for a limited time; and
(3) tailoring the mechanisms available to the Commission to seek delay of notication
currently required by the Right to Financial Privacy Act (RFPA) or the Electronic
Communications Privacy Act (ECPA), to better t FTC cases. Similar to longstanding
RFPA, ECPA, and securities law provisions. Needed to prevent notice to investigative
targets that are likely to destroy evidence or to move assets offshore or otherwise conceal
them, precluding redress to consumer victims.
Protecting Certain Entities Reporting Suspected Violations of Law. (US SAFE WEB
Act 8) Protects a limited category of appropriate entities from liability for voluntary
disclosures to the FTC about suspected fraud or deception, or about recovery of assets for
consumer redress. Similar to longstanding protections for nancial institutions making
disclosures of suspected wrongdoing to federal agencies. Needed because liability
concerns discourage third-party businesses from alerting the FTC to suspected law
violations or recoverable assets.
Allowing Information Sharing with Federal Financial and Market Regulators. (US
SAFE WEB Act 10) Adds the FTC to RFPAs list of nancial and market regulators
allowed to readily share appropriate information. The list already includes the SEC and
the CFTC. Needed to help the FTC track proceeds of fraud, deception, or other illegal
practices sent through U.S. banks to foreign jurisdictions, so they can be recovered and
returned to consumer victims.
Conrming the FTCs Remedial Authority in Cross-Border Cases. (US SAFE
WEB Act 3) Expressly conrms: 1) the FTCs authority to redress harm in the United
States caused by foreign wrongdoers and harm abroad caused by U.S. wrongdoers; and
2) the availability in cross-border cases of all remedies available to the FTC, including
restitution. Needed to avoid spurious challenges to jurisdiction in FTC cases and to
encourage the full range of remedies for U.S. consumer victims in foreign courts.
Enhancing Cooperation Between the FTC and DOJ in Foreign Litigation. (US
SAFE WEB Act 5) Permits the FTC to cooperate with DOJ in using additional staff
and nancial resources for foreign litigation of FTC matters. Needed because, without
additional resources to freeze foreign assets and enforce U.S. court judgments abroad,
fraudsters targeting U.S. consumers can more readily use the border as a shield against
law enforcement.
Clarifying FTC Authority to Make Criminal Referrals. (US SAFE WEB Act 4(b)
(adding FTC Act 6(k))) Expressly authorizes the FTC to make criminal referrals for
prosecution when violations of FTC law also violate U.S. criminal laws. Similar to
existing FTC authority to provide information to criminal authorities, a narrow express
criminal referral provision in the FTC Act, and an SEC provision. Needed because
foreign agencies that address consumer fraud and deception as a criminal (not civil)
law enforcement issue would be more willing to share information if FTC has express
authority to share information with criminal authorities.
Providing for Foreign Staff Exchange Programs. (US SAFE WEB Act 9)
Provides for foreign staff exchange arrangements between the FTC and foreign
government authorities, and permits the FTC to accept reimbursement for its costs in
these arrangements. Needed to improve international law enforcement cooperation in
crossborder matters.
Authorizing Expenditure of Funds on Joint Projects. (US SAFE WEB Act 4(b)
(adding FTC Act 6(l)), 4(c)) Authorizes the FTC to expend appropriated funds, not
to exceed $100,000 annually, toward operating expenses and other costs of cooperative
cross-border law enforcement projects and bilateral and multilateral meetings. Similar
to SEC authority. Needed to allow the FTC to help support valuable international
cooperative organizations and projects such as the website or consumer education
programs of the International Consumer Protection and Enforcement Network (ICPEN)
that foster the FTCs mission.
Leveraging FTCs Resources Through Reimbursement, Gift Acceptance, and
Voluntary and Uncompensated Services. (US SAFE WEB Act 11) Authorizes the
FTC to accept reimbursement for providing assistance to law enforcement agencies in the
U.S. or abroad, and to accept gifts and voluntary services in aid of the agencys mission
and consistent with ethical constraints. Similar to the authority of numerous regulatory
agencies, including the SEC and the CFTC, and of the FTC and DOJ in the antitrust
context, to accept reimbursements from foreign counterparts. Needed to assure that in
appropriate circumstances a foreign agency bears the costs of FTC efforts on their behalf,
and to enable the FTC to employ volunteers as our Canadian counterparts have done
successfully for years.
Requiring Report to Congress. (US SAFE WEB Act 13) Requires the FTC to report
to Congress within three years after the enactment of this Act, describing the FTCs use of
its new authority and recounting the number and types of requests for informationsharing
and investigative assistance, the disposition of such requests, the foreign law enforcement
agencies involved, and the nature of the information provided and received. Provides for
the report to include recommendations for additional legislation as appropriate. Needed
to provide important information to Congress on FTC accountability and cross-border
trends and needs.
Goods or Services
Status
Diet patch
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(5)
Settlement.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(5)
Default
judgment.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(5)
Settlement.
Envelope-stufng
opportunity
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(5)
Settlement.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(5)(A)
Discovery.
Sexually-oriented
content
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(4)(A)(i)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(iii)
15 U.S.C. 7704(d); 16 C.F.R. 316.1(a)(1)
Settlement.
Goods or Services
Status
Envelope-stufng
opportunity
15 U.S.C. 7704(a)(2)
Discovery.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(4)(A)(i)
15 U.S.C. 7704(a)(5)(A)(i)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(iii)
Discovery.
Sexually-oriented
content
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(iii)
15 U.S.C. 7704(d); 16 C.F.R. 316.4
Discovery.
Spyware removal
software
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(i-iii)
Discovery.
Sexually-oriented
content
Discovery.
Sexually-oriented
content
Settlement.
Sexually-oriented
content
Settlement.
Sexually-oriented
content
Settlement.
Caption
Caption
Goods or Services
Status
Sexually-oriented
content
Settlement.
Sexually-oriented
content
Discovery.
Sexually-oriented
content
Discovery.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A) (i) and (iii)
Discovery.
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(iii)
Pre-discovery.
Fuel efciency
enhancing devices and
mortgage loans
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)(A)(ii) or 15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)(A)(iii)
Pre-discovery.
Goods or Services
Status
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(4)
15 U.S.C. 7704(a)(5)(A)(iii)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
Settlement.
Sexual enhancement
products, banned CD,
and ephedra pills
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Final judgment.
Vacation timeshares
and get-rich-quick
offers
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Final judgment.
Various goods,
includubg prescription
drugs, mortgage
services, cable
descramblers, college
diplomas, and get-richquick schemes
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Dismissed.
1. FTC staff compiled this Appendix from information provided by top ISPs and from publicly available sources. Other federal court cases may have been led by
other ISPs. Additionally, ISPs have led dozens of CAN-SPAM cases in state court, but these cases are not summarized in this Appendix.
Goods or Services
Status
Automated multi-level
marketing program
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Default
judgment.
Summary
judgment.
Super viagra or
weight loss patches
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Default
judgment.
Life insurance,
mortgage and debt
consolidation, and
travel services
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
15 U.S.C. 7704(b)(1)
Settlement.
Free grants
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Sexually-oriented
content
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Discovery.
Prescription drugs
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Caption
Caption
Goods or Services
Status
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Discovery.
15 U.S.C. 7704(a)(1)(A)
15 U.S.C. 7704(a)(1)(B)
15 U.S.C. 7704(a)(1)(C)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)(i)
15 U.S.C. 7704(a)(4)(A)(ii)
15 U.S.C. 7704(a)(4)(A)(iii)
15 U.S.C. 7704(a)(4)(A)(iv)
15 U.S.C. 7704(a)(5)(A)(i)
15 U.S.C. 7704(a)(5)(A)(ii)
15 U.S.C. 7704(a)(5)(A)(iii)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Discovery.
Sexual enhancement
products
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Dismissed.
Discounted mortgage
services
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Default
judgment.
Training to increase
prots on eBay
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Discovery.
Goods or Services
Status
Sexually-oriented
content
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Mortgage leads
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Settlement.
Discovery.
Timeshare brokerage
services
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Discovery.
Cable descramblers
and college diplomas
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Settlement.
Caption
Caption
Goods or Services
Status
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Default
judgment.
Mortgage leads
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Settlement.
Discovery.
Mortgage leads
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)(A)(i)
15 U.S.C. 7704(a)(3)(A)(ii)
15 U.S.C. 7704(a)(4)(A)
15 U.S.C. 7704(a)(5)(A)
15 U.S.C. 7704(b)(1)(A)(i)
15 U.S.C. 7704(b)(1)(A)(ii)
15 U.S.C. 7704(b)(2)
15 U.S.C. 7704(b)(3)
Default
judgment.
Discovery.
Cable descramblers
and sexually-oriented
content
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Discovery.
Computer printer
supplies
Goods or Services
Status
Prescription drugs
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
15 U.S.C. 7704(b)(3)
Discovery.
Prescription drugs
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Discovery.
Mortgates, debt
consolidation and
online dating services
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(5)
Discovery.
Various goods,
including mail-order
coffee, vacations, loan
consolidation, and
credit gift cards
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)
Discovery.
Caption
Goods or Services
Status
Desktop computer
sales targeted to nonprot groups
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(4)(A)(i)
Discovery.
Numerous types of
services, including
mortgage services,
debt counseling, and
warranty services
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(5)
Discovery.
Various products,
including auto
warranties,
pharmaceutical
products, online college
degree programs, and
mortgage services
15 U.S.C. 7704(a)(1)
15 U.S.C. 7704(a)(2)
15 U.S.C. 7704(a)(3)
15 U.S.C. 7704(a)(4)(A)(i)
15 U.S.C. 7704(a)(5)(A)(i)
15 U.S.C. 7704(a)(5)(A)(ii)
15 U.S.C. 7704(a)(5)(A)(iii)
Discovery.
1. State cases led in state court, rather than federal court, include:
Massachusetts v. DC Enterprises and William Carson. Suffolk superior court; led June 30, 2004, alleging violations of 15 U.S.C. 7704(a)(1),
7704(a)(3)(A)(i) and (ii), and 7704(a)(5)(A)(i) and (iii) for mortgage brokering services. Settlement announced Oct. 7, 2004 including $25,000 civil penalty
and injunction;
Florida v. Scott Filary and Donald Townsend. Circuit court for 13th Judicial Circuit, Hillsborough County, Fla.; led April 4, 2005, alleging violations of 15
U.S.C. 7704(a)(1), 7704(a)(2), 7704(b)(1)(A)(ii), 7704(b)(3), and 7705 for various products, including prescription drugs, cigarettes, downloads, e-books,
and cash advances; and
Massachusetts v. Leo Kuvayev; Vladislav Khokholkov; Anna Orlova; Pavel Tkachuk; Michelle Marco; Dennis Nartikoev; Pavel Yashin; 2K Services, Ltd.; and
Ecash Pay, Ltd. Suffolk superior court; led May 11, 2005, alleging violations of 15 U.S.C. 7704(a)(1), 7704(a)(3)(A)(i) and (ii), 7704(a)(5)(A)(i) and (iii),
and 7704(b)(1) for counterfeit drugs, pirated software, pornography, and mortgage loans.